This is a static archive of our old Q&A Site. Please post any new questions and answers at

Using wireshark to detect facebook login and chat?


Hi there. Im having a bit of difficulty trying to decipher all the packet info on my machine and was looking for a way to detect the information easier.

Im looking to detect a facebook successful login via wireshark as well as detecting if a user uses the chat feature. But i have no idea what all these packets are that are showing up. Is there a filtering option that can be setup just to detect facebook information?


asked 05 Jul '11, 04:01

jgraham95's gravatar image

accept rate: 0%

3 Answers:


Assuming the monitored Facebook chat users are not using IM-encryption clients, you can watch Facebook chat messages by applying this display filter: json contains message

Login is encrypted over SSL, so it would be difficult (if not impossible) for a display filter to detect whether a login is successful. You can, however, detect SSL Facebook traffic (which might be for login) using this display filter: tcp contains facebook and ssl

EDIT: Facebook supports Secure Browsing, which encrypts all Facebook traffic, including chat messages. They've also updated their chat protocol. See recent post.

answered 05 Jul '11, 22:43

helloworld's gravatar image

accept rate: 28%

edited 22 Jan '12, 08:31

thanks again. :)

(06 Jul '11, 07:44) jgraham95


The easiest way to follow facebook chats is to use the search function. Use the searchstring 'subject":"","body":"' and search for the string in the packet bytes. As result you see only the text which is displayed on the users screen, no matter whether the transmission is encrypted or not.

answered 22 Jan '12, 01:30

Anon's gravatar image

accept rate: 16%


As result you see only the text which is displayed on the users screen, no matter whether the transmission is encrypted or not.

That's incorrect. If one were easily able to read encrypted traffic simply by using search functions in Wireshark (or any other packet sniffer), that would defeat the purpose of encryption.

You can prove this to yourself by enabling "Secure Browsing" in Facebook (Account Settings > Security > Secure Browsing) and then trying your Wireshark filter on live chat traffic.

(22 Jan '12, 08:23) helloworld

The above described search shows the html-packages, which are displayed on the receivers screen and not the encrypted message package. I for myself use facebook with secure browsing and can read my own messages in the captured traffic easily, even so there are encrypted in the relevant packages. Don't ask me why, but I tested it this way, and was astonished that i could read it anyway....

(25 Jan '12, 08:22) Anon

It should be obvious that your chat message(s) are not actually encrypted (in your particular case). To say that Facebook chats are readable in Wireshark despite it being encrypted is overgeneralizing.

I've confirmed that Secure Browsing still (as of today) encrypts my chat messages as well as other Facebook traffic. However, I did notice a small hiccup immediately after setting Secure Browsing from off to on: one of my chat messages came through in cleartext, but encryption took effect thereafter.

Rest assured, your chat messages are secure (except the first one sometimes ;).

(25 Jan '12, 17:05) helloworld


i don't know

answered 16 Oct '11, 18:59

dyess002's gravatar image

accept rate: 0%

ok, so what would a facebook packet look like?

(16 Oct '15, 11:31) Steve328